Tumblr breach resulted in the theft of 65 million e-mail addresses and passwords, analysis reveals

Tumblr earlier this month revealed that a third party had obtained access to a set of user e-mail addresses and passwords dating back to early 2013. The company, now owned by Yahoo, didn’t reveal how many accounts were compromised but said it was requiring affected users to set up a new password. Now, we know the answer.

Corroborating Tumblr's account of the breach, the passwords weren't stored in plaintext but were salted and hashed. Salting defeats precomputed lookup tables and forces an attacker to work through each account separately; hashing means the original password has to be guessed rather than simply read. Neither does anything to slow down an individual guess if the underlying hash is fast. Tumblr didn't say which algorithm it used, although according to at least one underground listing for the data it's SHA1, a general-purpose hash built for speed rather than for password storage.

Because the hashes were salted, and so can't be cracked in one batch with a precomputed table, the publication notes that the seller is only asking around $150 for the set. Given the age of the breach and the weak password habits of the time (which persist today, largely), security researcher Troy Hunt estimates that at least half of the passwords could be cracked.
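To make the point concrete, here is an added example (not Tumblr's code, and not Troy Hunt's) of why "salted and hashed with SHA1" still leaves weak passwords exposed. The account records, salts, wordlist and the `sha1(salt || password)` layout are all constructed assumptions for illustration; Tumblr has not published its scheme. The example runs a per-account dictionary attack against a salted SHA1 dump, counts how many hash evaluations the salt costs the attacker compared with an unsalted dump, and then repeats the attack against the same passwords stored with a deliberately slow KDF (PBKDF2-HMAC-SHA256) to show where the real cost difference comes from.

```python
"""Dictionary attack on a salted SHA1 dump versus a slow KDF.

Added example for illustration only. The sample accounts, salts and
wordlist below are constructed; the salt || password layout is an
assumption, not Tumblr's published scheme.
"""
import hashlib
import hmac
import time

# Constructed stand-in for a real cracking wordlist (e.g. a leaked password list).
WORDLIST = ["123456", "password", "tumblr", "qwerty",
            "letmein", "iloveyou", "sunshine", "monkey"]

# Constructed sample accounts: (email, hex salt, password). Three weak, one strong.
SAMPLE_USERS = [
    ("alice@example.com", "1111111111111111", "password"),
    ("bob@example.com",   "2222222222222222", "tumblr"),
    ("carol@example.com", "3333333333333333", "sunshine"),
    ("dave@example.com",  "4444444444444444", "v9#Tq!r2LmZ8&wXp"),
]


def sha1_salted(salt: bytes, password: str) -> str:
    """Fast hash: one SHA1 over salt || password (assumed layout)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_salted(salt: bytes, password: str, iterations: int = 50_000) -> str:
    """Slow KDF: same salt, but every guess now costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_dump(hash_fn, salted: bool = True):
    """Produce a breach-style dump of {email, salt, hash} records."""
    return [
        {"email": e, "salt": s if salted else "",
         "hash": hash_fn(bytes.fromhex(s) if salted else b"", pw)}
        for e, s, pw in SAMPLE_USERS
    ]


def crack_salted(dump, wordlist, hash_fn):
    """Per-account dictionary attack.

    The salt rules out a precomputed table, so each guess is hashed again for
    every account. Returns (cracked, hash_evaluations, elapsed_seconds).
    """
    cracked, evaluations = {}, 0
    start = time.perf_counter()
    for rec in dump:
        salt = bytes.fromhex(rec["salt"])
        for guess in wordlist:
            evaluations += 1
            if hmac.compare_digest(hash_fn(salt, guess), rec["hash"]):
                cracked[rec["email"]] = guess
                break
    return cracked, evaluations, time.perf_counter() - start


def crack_unsalted(dump, wordlist, hash_fn):
    """Without salts, one hash per guess covers every account at once.

    Returns (cracked, hash_evaluations): evaluations equal len(wordlist)
    no matter how many accounts are in the dump.
    """
    table = {hash_fn(b"", guess): guess for guess in wordlist}
    cracked = {rec["email"]: table[rec["hash"]]
               for rec in dump if rec["hash"] in table}
    return cracked, len(wordlist)


def compare_schemes():
    """Run all three attacks and return their results keyed by scheme name."""
    results = {}
    cracked, evals = crack_unsalted(build_dump(sha1_salted, salted=False),
                                    WORDLIST, sha1_salted)
    results["sha1_unsalted"] = {"cracked": cracked, "evaluations": evals}
    for name, fn in (("sha1_salted", sha1_salted), ("pbkdf2_salted", pbkdf2_salted)):
        cracked, evals, secs = crack_salted(build_dump(fn), WORDLIST, fn)
        results[name] = {"cracked": cracked, "evaluations": evals, "seconds": secs}
    return results


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:14s} cracked {len(r['cracked'])}/{len(SAMPLE_USERS)} "
              f"in {r['evaluations']} hash evaluations"
              + (f", {r['seconds']:.3f}s" if "seconds" in r else ""))
```

Salting multiplies the attacker's work by the number of accounts, which matters for a 65 million record dump but is still cheap when each SHA1 evaluation is microseconds of CPU (or far less on a GPU). The slow KDF recovers exactly the same three weak passwords, since no hash function can protect "password" against a guess, but each guess now costs tens of thousands of HMAC rounds, which is the work factor that actually decides how much of a dump gets cracked. The strong password stays uncracked under every scheme because it is not in the wordlist.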

Even so, Hunt has listed the breach on his site, Have I Been Pwned, as the third largest it holds, behind LinkedIn's 164 million account breach and Adobe's 152 million stolen accounts.

Perhaps more worrisome, however, is the growing trend of years-old breaches surfacing only now. Hunt raises this very question in a recent blog post, wondering just how many more "mega" breaches are out there, already stolen and just waiting to be released.